SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest
for our community. We are proud to offer content from Matasano at this time and will be adding more
in the coming weeks.
http://www.securityfocus.com/blogs

I. FRONT AND CENTER
---------------------
1. Facebook, Privacy and Contracts
On February 4, the social networking site Facebook made a minor change to its terms of service - the
online contract that every user must agree to when they create an account.
Facebook was trying to solve a legitimate problem: People who deleted their accounts did not realize
that information that they shared with other users would persist on their Facebook friends'
accounts. Thus, they needed some way of telling users that the information might remain.
http://www.securityfocus.com/columnists/497

2. Act Locally, Pwn Globally
By Jeffrey Carr
On December 24, 2008, the Pakistani Whackerz Cr3w defaced a part of India's critical infrastructure,
the Eastern Railway system Web site. The defacement appeared on a scroll feed which read: "Cyber war
has been declared on Indian cyberspace by Whackerz- Pakistan (24 Dec-2008)."
http://www.securityfocus.com/columnists/496

Successful exploits may allow an attacker to execute arbitrary code with the privileges of the user
running the affected application. Failed exploit attempts will likely result in denial-of-service
conditions.

Exploiting these issues may allow attackers to crash the application, denying service to legitimate
users. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code,
but this has not been confirmed.

A remote attacker can exploit these issues to execute arbitrary code with SYSTEM-level privileges.
Successfully exploiting this issue will result in the complete compromise of affected computers.
Failed exploit attempts will result in a denial-of-service condition.

An attacker can exploit this issue to execute arbitrary code in the context of the Unix cache
manager, resulting in a complete compromise of the affected computer. Failed exploit attempts will
likely result in a denial of service.

Successful exploits may allow an attacker to execute arbitrary code with the privileges of the user
running the affected application. Failed exploit attempts will likely result in denial-of-service
conditions.

UltraISO 9.3.3.2685 is vulnerable; other versions may also be affected.

An attacker could exploit this issue by enticing a victim to open a malicious PowerPoint file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context
of the currently logged-in user.

14. Fortinet FortiClient VPN Connection Name Local Format String Vulnerability
BugTraq ID: 34343
Remote: No
Date Published: 2009-04-02
Relevant URL: http://www.securityfocus.com/bid/34343
Summary:
Fortinet FortiClient is prone to a local format-string vulnerability because it fails to adequately
sanitize user-supplied input before passing it to a formatted-printing function.

Successfully exploiting this issue will allow local attackers to execute arbitrary code with
SYSTEM-level privileges, completely compromising the computer. Failed exploit attempts will likely
result in a denial of service.

FortiClient 3.0.614 is vulnerable; other versions may also be affected.
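The bug class behind entry 14 is a user-controlled string reaching a printf-family call as the format argument rather than as data. The following C is an added illustration written for this digest, not FortiClient code (none appears on the page): the "connection name" handling, the function names and the sample inputs are all hypothetical. It shows the hardened pattern (a literal format with the untrusted string passed only as an argument) and a small audit check that counts conversion directives in an untrusted string, which is a cheap signal in a fuzz harness or log review.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FortiClient code. The bug class in entry 14 is a
 * user-controlled string (here a hypothetical VPN connection name) that
 * reaches a printf-family call as the FORMAT argument instead of as data.
 *
 *   vulnerable:  snprintf(buf, sizeof buf, name);        // name is the format
 *   hardened:    snprintf(buf, sizeof buf, "%s", name);  // name is only data
 *
 * The vulnerable form is shown only in this comment: executing it with a
 * name that contains directives is undefined behaviour. */

/* Counts the conversion directives that would be interpreted if `s` were
 * ever used as a format string. "%%" is a literal percent and is not
 * counted. A non-zero result for an untrusted string that reaches a format
 * parameter is exactly the defect the advisory describes. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened formatting: the format string is a compile-time literal, so the
 * user-supplied name is copied verbatim whatever characters it contains.
 * Returns the length snprintf reports, or -1 if the output was truncated. */
int format_connection_status(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "Connecting to %s", name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience wrapper returning a static buffer so the result can be
 * inspected directly (hypothetical helper for the demonstration). */
const char *demo_status(const char *name)
{
    static char buf[128];
    if (format_connection_status(buf, sizeof buf, name) < 0)
        return "";
    return buf;
}

int main(void)
{
    /* Constructed sample connection names: benign, hostile, escaped percent. */
    const char *samples[] = { "office-vpn", "%x%x%x%n", "100%% done" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s directives=%d  -> \"%s\"\n", samples[i],
               count_format_directives(samples[i]), demo_status(samples[i]));
    return 0;
}
```

With the literal format, a name such as `%x%x%x%n` is emitted unchanged as text; with the vulnerable form it would drive the stack reads and the `%n` write that make local format-string bugs a privilege-escalation path when the process runs as SYSTEM. Compiling with `-Wformat-security` (GCC and Clang) flags the non-literal format at build time.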

An attacker may leverage this issue to execute arbitrary script code in the browser of an
unsuspecting user in the context of the affected site and to steal cookie-based authentication
credentials.

NOTE: This issue may be related to the one described in BID 12107 (Business Objects Crystal
Enterprise Report File Cross-Site Scripting Vulnerability). We will update or retire this BID when
more information emerges.

Attackers can exploit these issues to steal cookie-based authentication credentials from legitimate
users of the site, modify the way the site is rendered, access or modify data, exploit latent
vulnerabilities in the underlying database, or delete arbitrary files on the affected computer.
Other attacks are also possible.

Attackers can exploit this issue to crash the affected application, denying service to legitimate
users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this
has not been confirmed.

Apple Safari 3.2.2 and 4 Beta are vulnerable; other versions may also be affected.

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe (at) securityfocus (dot) com from the
subscribed address. The contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively you can also visit
http://www.securityfocus.com/newsletters and unsubscribe via the website.